IP(8)                                Linux                               IP(8)

NAME
       ip - show / manipulate routing, devices, policy routing and tunnels

SYNOPSIS
       ip [ OPTIONS ] OBJECT { COMMAND | help }

       OBJECT := { link | addr | route | rule | neigh | tunnel | maddr |
               mroute | monitor }

       OPTIONS := { -V[ersion] | -s[tatistics] | -r[esolve] | -f[amily] { inet
               | inet6 | ipx | dnet | link } | -o[neline] }

       ip link set DEVICE { up | down | arp { on | off } |
               promisc { on | off } |
               allmulti { on | off } |
               dynamic { on | off } |
               multicast { on | off } |
               txqueuelen PACKETS |
               name NEWNAME |
               address LLADDR | broadcast LLADDR |
               mtu MTU }

       ip link show [ DEVICE ]

       ip addr { add | del } IFADDR dev STRING

       ip addr { show | flush } [ dev STRING ] [ scope SCOPE-ID ] [ to PREFIX
               ] [ FLAG-LIST ] [ label PATTERN ]

       IFADDR := PREFIX | ADDR peer PREFIX [ broadcast ADDR ] [ anycast ADDR ]
               [ label STRING ] [ scope SCOPE-ID ]

       SCOPE-ID := [ host | link | global | NUMBER ]

       FLAG-LIST := [ FLAG-LIST ] FLAG

       FLAG := [ permanent | dynamic | secondary | primary | tentative |
               deprecated ]

       ip route { list | flush } SELECTOR

       ip route get ADDRESS [ from ADDRESS iif STRING ] [ oif STRING ] [ tos
               TOS ]

       ip route { add | del | change | append | replace | monitor } ROUTE

       SELECTOR := [ root PREFIX ] [ match PREFIX ] [ exact PREFIX ] [ table
               TABLE_ID ] [ proto RTPROTO ] [ type TYPE ] [ scope SCOPE ]

       ROUTE := NODE_SPEC [ INFO_SPEC ]

       NODE_SPEC := [ TYPE ] PREFIX [ tos TOS ] [ table TABLE_ID ] [ proto
               RTPROTO ] [ scope SCOPE ] [ metric METRIC ]

       INFO_SPEC := NH OPTIONS FLAGS [ nexthop NH ] ...

       NH := [ via ADDRESS ] [ dev STRING ] [ weight NUMBER ] NHFLAGS

       OPTIONS := FLAGS [ mtu NUMBER ] [ advmss NUMBER ] [ rtt NUMBER ] [
               rttvar NUMBER ] [ window NUMBER ] [ cwnd NUMBER ] [ initcwnd
               NUMBER ] [ ssthresh REALM ] [ realms REALM ]

       TYPE := [ unicast | local | broadcast | multicast | throw | unreachable
               | prohibit | blackhole | nat ]

       TABLE_ID := [ local | main | default | all | NUMBER ]

       SCOPE := [ host | link | global | NUMBER ]

       FLAGS := [ equalize ]

       NHFLAGS := [ onlink | pervasive ]

       RTPROTO := [ kernel | boot | static | NUMBER ]

       ip rule [ list | add | del | flush ] SELECTOR ACTION

       SELECTOR := [ from PREFIX ] [ to PREFIX ] [ tos TOS ] [ fwmark
               FWMARK[/MASK] ] [ dev STRING ] [ pref NUMBER ]

       ACTION := [ table TABLE_ID ] [ nat ADDRESS ] [ prohibit | reject |
               unreachable ] [ realms [SRCREALM/]DSTREALM ]

       TABLE_ID := [ local | main | default | NUMBER ]

       ip neigh { add | del | change | replace } { ADDR [ lladdr LLADDR ] [
               nud { permanent | noarp | stale | reachable } ] | proxy ADDR }
               [ dev DEV ]

       ip neigh { show | flush } [ to PREFIX ] [ dev DEV ] [ nud STATE ]

       ip tunnel { add | change | del | show } [ NAME ]
               [ mode { ipip | gre | sit } ]
               [ remote ADDR ] [ local ADDR ]
               [ [i|o]seq ] [ [i|o]key KEY ] [ [i|o]csum ]
               [ ttl TTL ] [ tos TOS ] [ [no]pmtudisc ]
               [ dev PHYS_DEV ]

       ADDR := { IP_ADDRESS | any }

       TOS := { NUMBER | inherit }

       TTL := { 1..255 | inherit }

       KEY := { DOTTED_QUAD | NUMBER }

       ip maddr [ add | del ] MULTIADDR dev STRING

       ip maddr show [ dev STRING ]

       ip mroute show [ PREFIX ] [ from PREFIX ] [ iif DEVICE ]

       ip monitor [ all | LISTofOBJECTS ]

OPTIONS
       -V, -Version
              print the version of the ip utility and exit.

       -s, -stats, -statistics
              output more information. If the option appears twice or more,
              the amount of information increases. As a rule, the information
              is statistics or some time values.

       -f, -family
              followed by a protocol family identifier (inet, inet6 or link),
              enforces the protocol family to use. If the option is not
              present, the protocol family is guessed from other arguments.
              If the rest of the command line does not give enough information
              to guess the family, ip falls back to the default one, usually
              inet or any. link is a special family identifier meaning that
              no networking protocol is involved.

       -4     shortcut for -family inet.

       -6     shortcut for -family inet6.

       -0     shortcut for -family link.

       -o, -oneline
              output each record on a single line, replacing line feeds with
              the '\' character. This is convenient when you want to count
              records with wc(1) or to grep(1) the output.

       -r, -resolve
              use the system's name resolver to print DNS names instead of
              host addresses.
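
       Added example (not part of the original manual page): because -oneline
       keeps each record on one line, per-device checks become line-oriented
       filters. This script lists the devices whose flag list contains a given
       flag such as PROMISC; the sample records are constructed and the
       function name flagged_links is an assumption of this example.

```shell
#!/bin/sh
# Added example: audit device flags from `ip -o link show` records.

# Constructed sample in the -oneline format: one record per line, with the
# line feed inside each record replaced by a backslash.
SAMPLE_LINKS='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:57 brd ff:ff:ff:ff:ff:ff
4: eth0.10@eth0: <BROADCAST,MULTICAST,ALLMULTI,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:56 brd ff:ff:ff:ff:ff:ff
5: dummy0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000\    link/ether 52:54:00:12:34:58 brd ff:ff:ff:ff:ff:ff'

# flagged_links FLAG: read oneline link records on stdin and print the name
# of every device whose <...> flag list contains FLAG as a whole word
# (so UP does not match LOWER_UP).
flagged_links() {
    awk -v want="$1" '
    {
        name = $2
        sub(/:$/, "", name)          # "eth1:" -> "eth1"
        sub(/@.*/, "", name)         # "eth0.10@eth0" -> "eth0.10"
        flags = $3
        gsub(/[<>]/, "", flags)      # "<A,B>" -> "A,B"
        n = split(flags, f, ",")
        for (i = 1; i <= n; i++) {
            if (f[i] == want) { print name; break }
        }
    }'
}

# Demo on the constructed sample.
for flag in PROMISC ALLMULTI NOARP; do
    printf '%s: ' "$flag"
    printf '%s\n' "$SAMPLE_LINKS" | flagged_links "$flag" | tr '\n' ' '
    echo
done
```

       On a live host the input is ip -o link show | flagged_links PROMISC.
       The flag list shows PROMISC only when it was set as a device flag;
       promiscuous mode requested through a packet socket appears instead in
       the promiscuity counter printed by ip -details link show.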

IP - COMMAND SYNTAX
   OBJECT
       link   - network device.

       address
              - protocol (IP or IPv6) address on a device.

       neighbour
              - ARP or NDISC cache entry.

       route  - routing table entry.

       rule   - rule in routing policy database.

       maddress
              - multicast address.

       mroute - multicast routing cache entry.

       tunnel - tunnel over IP.

       The names of all objects may be written in full or abbreviated form,
       e.g. address is abbreviated as addr or just a.

   COMMAND
       Specifies the action to perform on the object. The set of possible
       actions depends on the object type. As a rule, it is possible to add,
       delete and show (or list) objects, but some objects do not allow all
       of these operations or have some additional commands. The help command
       is available for all objects. It prints out a list of available
       commands and argument syntax conventions.

       If no command is given, some default command is assumed. Usually it is
       list or, if the objects of this class cannot be listed, help.

ip link - network device configuration
       link is a network device and the corresponding commands display and
       change the state of devices.

   ip link set - change device attributes
       dev NAME (default)
              NAME specifies network device to operate on.

       up and down
              change the state of the device to UP or DOWN.

       arp on or arp off
              change the NOARP flag on the device.

       multicast on or multicast off
              change the MULTICAST flag on the device.

       dynamic on or dynamic off
              change the DYNAMIC flag on the device.

       name NAME
              change the name of the device. This operation is not
              recommended if the device is running or has some addresses
              already configured.

       txqueuelen NUMBER

       txqlen NUMBER
              change the transmit queue length of the device.

       mtu NUMBER
              change the MTU of the device.

       address LLADDRESS
              change the station address of the interface.

       broadcast LLADDRESS

       brd LLADDRESS

       peer LLADDRESS
              change the link layer broadcast address or the peer address when
              the interface is POINTOPOINT.

       Warning: If multiple parameter changes are requested, ip aborts
       immediately after any of the changes have failed. This is the only
       case when ip can move the system to an unpredictable state. The
       solution is to avoid changing several parameters with one ip link set
       call.

   ip link show - display device attributes
       dev NAME (default)
              NAME specifies the network device to show. If this argument is
              omitted all devices are listed.

       up     only display running interfaces.

ip address - protocol address management.
       The address is a protocol (IP or IPv6) address attached to a network
       device. Each device must have at least one address to use the
       corresponding protocol. It is possible to have several different
       addresses attached to one device. These addresses are not
       discriminated, so that the term alias is not quite appropriate for
       them and we do not use it in this document.

       The ip addr command displays addresses and their properties, adds new
       addresses and deletes old ones.

   ip address add - add new protocol address.
       dev NAME
              the name of the device to add the address to.

       local ADDRESS (default)
              the address of the interface. The format of the address depends
              on the protocol. It is a dotted quad for IP and a sequence of
              hexadecimal halfwords separated by colons for IPv6. The ADDRESS
              may be followed by a slash and a decimal number which encodes
              the network prefix length.

       peer ADDRESS
              the address of the remote endpoint for pointopoint interfaces.
              Again, the ADDRESS may be followed by a slash and a decimal
              number, encoding the network prefix length. If a peer address
              is specified, the local address cannot have a prefix length.
              The network prefix is associated with the peer rather than with
              the local address.

       broadcast ADDRESS
              the broadcast address on the interface.

              It is possible to use the special symbols '+' and '-' instead of
              the broadcast address. In this case, the broadcast address is
              derived by setting/resetting the host bits of the interface
              prefix.

       label NAME
              Each address may be tagged with a label string. In order to
              preserve compatibility with Linux-2.0 net aliases, this string
              must coincide with the name of the device or must be prefixed
              with the device name followed by colon.

       scope SCOPE_VALUE
              the scope of the area where this address is valid. The
              available scopes are listed in file /etc/iproute2/rt_scopes.
              Predefined scope values are:

                      global - the address is globally valid.

                      site - (IPv6 only) the address is site local, i.e. it is
                      valid inside this site.

                      link - the address is link local, i.e. it is valid only
                      on this device.

                      host - the address is valid only inside this host.

   ip address delete - delete protocol address
       Arguments: coincide with the arguments of ip addr add. The device name
       is a required argument. The rest are optional. If no arguments are
       given, the first address is deleted.

   ip address show - look at protocol addresses
       dev NAME (default)
              name of device.

       scope SCOPE_VAL
              only list addresses with this scope.

       to PREFIX
              only list addresses matching this prefix.

       label PATTERN
              only list addresses with labels matching the PATTERN. PATTERN
              is a usual shell style pattern.

       dynamic and permanent
              (IPv6 only) only list addresses installed due to stateless
              address configuration or only list permanent (not dynamic)
              addresses.

       tentative
              (IPv6 only) only list addresses which did not pass duplicate
              address detection.

       deprecated
              (IPv6 only) only list deprecated addresses.

       primary and secondary
              only list primary (or secondary) addresses.

   ip address flush - flush protocol addresses
       This command flushes the protocol addresses selected by some criteria.

       This command has the same arguments as show. The difference is that it
       does not run when no arguments are given.

       Warning: This command (and other flush commands described below) is
       pretty dangerous. If you make a mistake, it will not forgive it, but
       will cruelly purge all the addresses.

       With the -statistics option, the command becomes verbose. It prints out
       the number of deleted addresses and the number of rounds made to flush
       the address list. If this option is given twice, ip addr flush also
       dumps all the deleted addresses in the format described in the previous
       subsection.

ip neighbour - neighbour/arp tables management.
       neighbour objects establish bindings between protocol addresses and
       link layer addresses for hosts sharing the same link. Neighbour
       entries are organized into tables. The IPv4 neighbour table is known by
       another name - the ARP table.

       The corresponding commands display neighbour bindings and their
       properties, add new neighbour entries and delete old ones.

   ip neighbour add - add a new neighbour entry
   ip neighbour change - change an existing entry
   ip neighbour replace - add a new entry or change an existing one
       These commands create new neighbour records or update existing ones.

       to ADDRESS (default)
              the protocol address of the neighbour. It is either an IPv4 or
              IPv6 address.

       dev NAME
              the interface to which this neighbour is attached.

       lladdr LLADDRESS
              the link layer address of the neighbour. LLADDRESS can also be
              null.

       nud NUD_STATE
              the state of the neighbour entry. nud is an abbreviation for
              'Neighbour Unreachability Detection'. The state can take one
              of the following values:

                      permanent - the neighbour entry is valid forever and can
                      only be removed administratively.

                      noarp - the neighbour entry is valid. No attempts to
                      validate this entry will be made but it can be removed
                      when its lifetime expires.

                      reachable - the neighbour entry is valid until the
                      reachability timeout expires.

                      stale - the neighbour entry is valid but suspicious.
                      This option to ip neigh does not change the neighbour
                      state if it was valid and the address is not changed by
                      this command.

   ip neighbour delete - delete a neighbour entry
       This command invalidates a neighbour entry.

       The arguments are the same as with ip neigh add, except that lladdr and
       nud are ignored.

       Warning: Attempts to delete or manually change a noarp entry created by
       the kernel may result in unpredictable behaviour. Particularly, the
       kernel may try to resolve this address even on a NOARP interface or if
       the address is multicast or broadcast.

   ip neighbour show - list neighbour entries
       This command displays neighbour tables.

       to ADDRESS (default)
              the prefix selecting the neighbours to list.

       dev NAME
              only list the neighbours attached to this device.

       unused
              only list neighbours which are not currently in use.

       nud NUD_STATE
              only list neighbour entries in this state. NUD_STATE takes the
              values listed above or the special value all, which means all
              states. This option may occur more than once. If this option
              is absent, ip lists all entries except for none and noarp.

   ip neighbour flush - flush neighbour entries
       This command flushes neighbour tables, selecting entries to flush by
       some criteria.

       This command has the same arguments as show. The differences are that
       it does not run when no arguments are given, and that the default
       neighbour states to be flushed do not include permanent and noarp.

       With the -statistics option, the command becomes verbose. It prints
       out the number of deleted neighbours and the number of rounds made to
       flush the neighbour table. If the option is given twice, ip neigh
       flush also dumps all the deleted neighbours.
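
       Added example (not part of the original manual page): an audit of the
       neighbour bindings printed by ip neigh show. It reports every link
       layer address bound to more than one protocol address on the same
       device and looks up the NUD state recorded for a given address; the
       sample table and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example: audit neighbour bindings from `ip neigh show` output.

# Constructed sample (documentation addresses, made-up link layer addresses).
SAMPLE_NEIGH='192.0.2.1 dev eth0 lladdr 52:54:00:aa:bb:01 PERMANENT
192.0.2.10 dev eth0 lladdr 52:54:00:aa:bb:10 STALE
192.0.2.20 dev eth0 lladdr 52:54:00:aa:bb:10 REACHABLE
192.0.2.30 dev eth0  FAILED
192.0.2.40 dev eth0 lladdr 52:54:00:aa:bb:40 REACHABLE
192.0.2.50 dev eth1 lladdr 52:54:00:aa:bb:10 DELAY'

# shared_lladdr: read neighbour entries on stdin and print
# "DEV LLADDR ADDR,ADDR,..." for every link layer address that is bound to
# more than one protocol address on the same device.
shared_lladdr() {
    awk '
    {
        dev = ""; mac = ""
        for (i = 2; i < NF; i++) {
            if ($i == "dev")    dev = $(i + 1)
            if ($i == "lladdr") mac = $(i + 1)
        }
        if (mac == "") next          # FAILED/INCOMPLETE entries have no lladdr
        key = dev " " mac
        if (key in addrs) { addrs[key] = addrs[key] "," $1; shared[key] = 1 } else { addrs[key] = $1 }
    }
    END { for (key in shared) print key, addrs[key] }' | sort
}

# nud_state ADDR: print the NUD state recorded for ADDR (the last field of
# its entry), or nothing when ADDR is not in the table.
nud_state() {
    awk -v addr="$1" '$1 == addr { print $NF }'
}

# Demo on the constructed sample.
echo "link layer addresses bound to several protocol addresses:"
printf '%s\n' "$SAMPLE_NEIGH" | shared_lladdr
printf 'state of 192.0.2.1: %s\n' \
    "$(printf '%s\n' "$SAMPLE_NEIGH" | nud_state 192.0.2.1)"
```

       On a live host the input is ip neigh show | shared_lladdr. A shared
       link layer address is normal for a router or a proxy answering for
       several addresses, so the output is a list to review, not a verdict.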

ip route - routing table management
       Manipulates route entries in the kernel routing tables, which keep
       information about paths to other networked nodes.

       Route types:

               unicast - the route entry describes real paths to the
               destinations covered by the route prefix.

               unreachable - these destinations are unreachable. Packets are
               discarded and the ICMP message host unreachable is generated.
               The local senders get an EHOSTUNREACH error.

               blackhole - these destinations are unreachable. Packets are
               discarded silently. The local senders get an EINVAL error.

               prohibit - these destinations are unreachable. Packets are
               discarded and the ICMP message communication administratively
               prohibited is generated. The local senders get an EACCES
               error.

               local - the destinations are assigned to this host. The
               packets are looped back and delivered locally.

               broadcast - the destinations are broadcast addresses. The
               packets are sent as link broadcasts.

               throw - a special control route used together with policy
               rules. If such a route is selected, lookup in this table is
               terminated pretending that no route was found. Without policy
               routing it is equivalent to the absence of the route in the
               routing table. The packets are dropped and the ICMP message
               net unreachable is generated. The local senders get an
               ENETUNREACH error.

               nat - a special NAT route. Destinations covered by the prefix
               are considered to be dummy (or external) addresses which
               require translation to real (or internal) ones before
               forwarding. The addresses to translate to are selected with
               the attribute via. Warning: Route NAT is no longer supported
               in Linux 2.6.

               anycast - (not implemented) the destinations are anycast
               addresses assigned to this host. They are mainly equivalent to
               local with one difference: such addresses are invalid when used
               as the source address of any packet.

               multicast - a special type used for multicast routing. It is
               not present in normal routing tables.

       Route tables: Linux-2.x can pack routes into several routing tables
       identified by a number in the range from 1 to 255 or by name from the
       file /etc/iproute2/rt_tables. By default all normal routes are
       inserted into the main table (ID 254) and the kernel only uses this
       table when calculating routes.

       Actually, one other table always exists, which is invisible but even
       more important. It is the local table (ID 255). This table consists
       of routes for local and broadcast addresses. The kernel maintains this
       table automatically and the administrator usually need not modify it or
       even look at it.

       The multiple routing tables enter the game when policy routing is used.

   ip route add - add new route
   ip route change - change route
   ip route replace - change or add new one
       to TYPE PREFIX (default)
              the destination prefix of the route. If TYPE is omitted, ip
              assumes type unicast. Other values of TYPE are listed above.
              PREFIX is an IP or IPv6 address optionally followed by a slash
              and the prefix length. If the length of the prefix is missing,
              ip assumes a full-length host route. There is also a special
              PREFIX default - which is equivalent to IP 0/0 or to IPv6 ::/0.

       tos TOS

       dsfield TOS
              the Type Of Service (TOS) key. This key has no associated mask
              and the longest match is understood as: First, compare the TOS
              of the route and of the packet. If they are not equal, then the
              packet may still match a route with a zero TOS. TOS is either
              an 8 bit hexadecimal number or an identifier from
              /etc/iproute2/rt_dsfield.

       metric NUMBER

       preference NUMBER
              the preference value of the route. NUMBER is an arbitrary 32bit
              number.

       table TABLEID
              the table to add this route to. TABLEID may be a number or a
              string from the file /etc/iproute2/rt_tables. If this parameter
              is omitted, ip assumes the main table, with the exception of
              local, broadcast and nat routes, which are put into the local
              table by default.

       dev NAME
              the output device name.

       via ADDRESS
              the address of the nexthop router. Actually, the sense of this
              field depends on the route type. For normal unicast routes it
              is either the true next hop router or, if it is a direct route
              installed in BSD compatibility mode, it can be a local address
              of the interface. For NAT routes it is the first address of the
              block of translated IP destinations.

       src ADDRESS
              the source address to prefer when sending to the destinations
              covered by the route prefix.

       realm REALMID
              the realm to which this route is assigned. REALMID may be a
              number or a string from the file /etc/iproute2/rt_realms.

       mtu MTU

       mtu lock MTU
              the MTU along the path to the destination. If the modifier lock
              is not used, the MTU may be updated by the kernel due to Path
              MTU Discovery. If the modifier lock is used, no path MTU
              discovery will be tried, all packets will be sent without the
              DF bit in IPv4 case or fragmented to MTU for IPv6.

       window NUMBER
              the maximal window for TCP to advertise to these destinations,
              measured in bytes. It limits maximal data bursts that our TCP
              peers are allowed to send to us.

       rtt NUMBER
              the initial RTT ('Round Trip Time') estimate.

       rttvar NUMBER (2.3.15+ only)
              the initial RTT variance estimate.

       ssthresh NUMBER (2.3.15+ only)
              an estimate for the initial slow start threshold.

       cwnd NUMBER (2.3.15+ only)
              the clamp for congestion window. It is ignored if the lock flag
              is not used.

       initcwnd NUMBER
              The maximum initial congestion window (cwnd) size in MSS of a
              TCP connection.

       advmss NUMBER (2.3.15+ only)
              the MSS ('Maximal Segment Size') to advertise to these
              destinations when establishing TCP connections. If it is not
              given, Linux uses a default value calculated from the first hop
              device MTU. (If the path to these destination is asymmetric,
              this guess may be wrong.)

       reordering NUMBER (2.3.15+ only)
              Maximal reordering on the path to this destination. If it is
              not given, Linux uses the value selected with sysctl variable
              net/ipv4/tcp_reordering.

       nexthop NEXTHOP
              the nexthop of a multipath route. NEXTHOP is a complex value
              with its own syntax similar to the top level argument lists:

                      via ADDRESS - is the nexthop router.

                      dev NAME - is the output device.

                      weight NUMBER - is a weight for this element of a
                      multipath route reflecting its relative bandwidth or
                      quality.

       scope SCOPE_VAL
              the scope of the destinations covered by the route prefix.
              SCOPE_VAL may be a number or a string from the file
              /etc/iproute2/rt_scopes. If this parameter is omitted, ip
              assumes scope global for all gatewayed unicast routes, scope
              link for direct unicast and broadcast routes and scope host for
              local routes.

       protocol RTPROTO
              the routing protocol identifier of this route. RTPROTO may be a
              number or a string from the file /etc/iproute2/rt_protos. If
              the routing protocol ID is not given, ip assumes protocol boot
              (i.e. it assumes the route was added by someone who doesn't
              understand what they are doing). Several protocol values have a
              fixed interpretation. Namely:

                      redirect - the route was installed due to an ICMP
                      redirect.

                      kernel - the route was installed by the kernel during
                      autoconfiguration.

                      boot - the route was installed during the bootup
                      sequence. If a routing daemon starts, it will purge all
                      of them.

                      static - the route was installed by the administrator to
                      override dynamic routing. Routing daemon will respect
                      them and, probably, even advertise them to its peers.

                      ra - the route was installed by Router Discovery
                      protocol.

              The rest of the values are not reserved and the administrator is
              free to assign (or not to assign) protocol tags.

       onlink
              pretend that the nexthop is directly attached to this link, even
              if it does not match any interface prefix.

       equalize
              allow packet by packet randomization on multipath routes.
              Without this modifier, the route will be frozen to one selected
              nexthop, so that load splitting will only occur on per-flow
              base. equalize only works if the kernel is patched.

   ip route delete - delete route
       ip route del has the same arguments as ip route add, but their
       semantics are a bit different.

       Key values (to, tos, preference and table) select the route to delete.
       If optional attributes are present, ip verifies that they coincide with
       the attributes of the route to delete. If no route with the given key
       and attributes was found, ip route del fails.

   ip route show - list routes
       the command displays the contents of the routing tables or the route(s)
       selected by some criteria.

       to SELECTOR (default)
              only select routes from the given range of destinations.
              SELECTOR consists of an optional modifier (root, match or
              exact) and a prefix. root PREFIX selects routes with prefixes
              not shorter than PREFIX. For example, root 0/0 selects the
              entire routing table. match PREFIX selects routes with prefixes
              not longer than PREFIX. For example, match 10.0/16 selects
              10.0/16, 10/8 and 0/0, but it does not select 10.1/16 and
              10.0.0/24. And exact PREFIX (or just PREFIX) selects routes
              with this exact prefix. If none of these options is present, ip
              assumes root 0/0, i.e. it lists the entire table.

       tos TOS

       dsfield TOS
              only select routes with the given TOS.

       table TABLEID
              show the routes from this table(s). The default setting is to
              show table main. TABLEID may either be the ID of a real table
              or one of the special values:

                      all - list all of the tables.

                      cache - dump the routing cache.

       cloned

       cached
              list cloned routes, i.e. routes which were dynamically forked
              from other routes because some route attribute (e.g. MTU) was
              updated. Actually, it is equivalent to table cache.

       from SELECTOR
              the same syntax as for to, but it binds the source address range
              rather than destinations. Note that the from option only works
              with cloned routes.

       protocol RTPROTO
              only list routes of this protocol.

       scope SCOPE_VAL
              only list routes with this scope.

       type TYPE
              only list routes of this type.

       dev NAME
              only list routes going via this device.

       via PREFIX
              only list routes going via the nexthop routers selected by
              PREFIX.

       src PREFIX
              only list routes with preferred source addresses selected by
              PREFIX.

       realm REALMID

       realms FROMREALM/TOREALM
              only list routes with these realms.
857
858
   ip route flush - flush routing tables
       this command flushes routes selected by some criteria.

       The arguments have the same syntax and semantics as the arguments of
       ip route show, but the routing tables are purged rather than listed.
       The only difference is the default action: show dumps the entire IP
       main routing table, but flush prints the help page.

       With the -statistics option, the command becomes verbose.  It prints
       the number of deleted routes and the number of rounds made to flush
       the routing table.  If the option is given twice, ip route flush also
       dumps all the deleted routes in the format described in the previous
       subsection.
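
       The root, match and exact modifiers of the to SELECTOR argument,
       which ip route flush shares with ip route show, decide how much of a
       table a command touches.  The following Python model is an added
       example, not part of iproute2; the table contents are constructed and
       the shorthand parser assumes an explicit /LENGTH is always given.

```python
import ipaddress

def parse_prefix(text):
    """Expand ip(8) shorthand such as 10.0/16 or 0/0 to a full IPv4 network."""
    addr, sep, plen = text.partition("/")
    if not sep:
        raise ValueError("this model requires an explicit /LENGTH: " + text)
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))      # 10.0 -> 10.0.0.0
    return ipaddress.ip_network(".".join(octets) + "/" + plen)

def selects(modifier, selector, route):
    """True if a route with prefix `route` is picked by `modifier selector`."""
    sel, rt = parse_prefix(selector), parse_prefix(route)
    if modifier == "root":     # route prefix not shorter than PREFIX
        return rt.subnet_of(sel)
    if modifier == "match":    # route prefix not longer than PREFIX
        return rt.supernet_of(sel)
    if modifier == "exact":    # the same prefix and length
        return rt == sel
    raise ValueError("unknown modifier: " + modifier)

def selected(modifier, selector, table):
    """Routes that show would list, and flush would purge, for this selector."""
    return [route for route in table if selects(modifier, selector, route)]

# Constructed routing table, written in the same shorthand the page uses.
TABLE = ["0/0", "10/8", "10.0/16", "10.1/16", "10.0.0/24", "192.168.1/24"]

if __name__ == "__main__":
    for modifier in ("root", "match", "exact"):
        print(modifier, "10.0/16 ->", selected(modifier, "10.0/16", TABLE))
```

       Running the selector through a model like this before a flush shows
       that match also reaches the default route, while root stays inside
       the given prefix.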

   ip route get - get a single route
       this command gets a single route to a destination and prints its
       contents exactly as the kernel sees it.

       to ADDRESS (default)
              the destination address.

       from ADDRESS
              the source address.

       tos TOS

       dsfield TOS
              the Type Of Service.

       iif NAME
              the device from which this packet is expected to arrive.

       oif NAME
              force the output device on which this packet will be routed.

       connected
              if no source address (option from) was given, relookup the
              route with the source set to the preferred address received
              from the first lookup.  If policy routing is used, it may be a
              different route.

       Note that this operation is not equivalent to ip route show.  show
       shows existing routes.  get resolves them and creates new clones if
       necessary.  Essentially, get is equivalent to sending a packet along
       this path.  If the iif argument is not given, the kernel creates a
       route to output packets towards the requested destination.  This is
       equivalent to pinging the destination with a subsequent ip route ls
       cache; however, no packets are actually sent.  With the iif argument,
       the kernel pretends that a packet arrived from this interface and
       searches for a path to forward the packet.


ip rule - routing policy database management

       Rules in the routing policy database control the route selection
       algorithm.

       Classic routing algorithms used in the Internet make routing decisions
       based only on the destination address of packets (and in theory, but
       not in practice, on the TOS field).

       In some circumstances we want to route packets differently depending
       not only on destination addresses, but also on other packet fields:
       source address, IP protocol, transport protocol ports or even packet
       payload.  This task is called 'policy routing'.

       To solve this task, the conventional destination based routing table,
       ordered according to the longest match rule, is replaced with a
       'routing policy database' (or RPDB), which selects routes by executing
       some set of rules.

       Each policy routing rule consists of a selector and an action
       predicate.  The RPDB is scanned in the order of increasing priority.
       The selector of each rule is applied to {source address, destination
       address, incoming interface, tos, fwmark} and, if the selector matches
       the packet, the action is performed.  The action predicate may return
       with success.  In this case, it will either give a route or failure
       indication and the RPDB lookup is terminated.  Otherwise, the RPDB
       program continues on the next rule.

       Semantically, the natural action is to select the nexthop and the
       output device.

       At startup time the kernel configures the default RPDB consisting of
       three rules:

       1.     Priority: 0, Selector: match anything, Action: lookup routing
              table local (ID 255).  The local table is a special routing
              table containing high priority control routes for local and
              broadcast addresses.

              Rule 0 is special.  It cannot be deleted or overridden.

       2.     Priority: 32766, Selector: match anything, Action: lookup
              routing table main (ID 254).  The main table is the normal
              routing table containing all non-policy routes.  This rule may
              be deleted and/or overridden with other ones by the
              administrator.

       3.     Priority: 32767, Selector: match anything, Action: lookup
              routing table default (ID 253).  The default table is empty.
              It is reserved for some post-processing if no previous default
              rules selected the packet.  This rule may also be deleted.

       Each RPDB entry has additional attributes.  E.g. each rule has a
       pointer to some routing table.  NAT and masquerading rules have an
       attribute to select a new IP address to translate/masquerade.  Besides
       that, rules have some optional attributes, which routes have, namely
       realms.  These values do not override those contained in the routing
       tables.  They are only used if the route did not select any
       attributes.

       The RPDB may contain rules of the following types:

               unicast - the rule prescribes to return the route found in the
               routing table referenced by the rule.

               blackhole - the rule prescribes to silently drop the packet.

               unreachable - the rule prescribes to generate a 'Network is
               unreachable' error.

               prohibit - the rule prescribes to generate a 'Communication is
               administratively prohibited' error.

               nat - the rule prescribes to translate the source address of
               the IP packet into some other value.
1005
1006   ip rule add - insert a new rule
1007   ip rule delete - delete a rule
1008       type TYPE (default)
1009              the type of this rule.  The list of valid types was given in the
1010              previous subsection.
1011
1012
1013       from PREFIX
1014              select the source prefix to match.
1015
1016
1017       to PREFIX
1018              select the destination prefix to match.
1019
1020
1021       iif NAME
1022              select the incoming device to match.  If the interface is  loop‐
1023              back,  the rule only matches packets originating from this host.
1024              This means that you may create separate routing tables for  for‐
1025              warded and local packets and, hence, completely segregate them.
1026
1027
1028       tos TOS
1029
1030       dsfield TOS
1031              select the TOS value to match.
1032
1033
1034       fwmark MARK
1035              select the fwmark value to match.
1036
1037
1038       priority PREFERENCE
1039              the  priority of this rule.  Each rule should have an explicitly
1040              set unique priority value.
1041
1042
1043       table TABLEID
1044              the routing table identifier to  lookup  if  the  rule  selector
1045              matches.
1046
1047
1048       realms FROM/TO
1049              Realms  to  select  if  the  rule  matched and the routing table
1050              lookup succeeded.  Realm TO is only used if the  route  did  not
1051              select any realm.
1052
1053
1054       nat ADDRESS
1055              The  base  of  the  IP  address  block  to translate (for source
1056              addresses).  The ADDRESS may be either the start of the block of
1057              NAT  addresses  (selected by NAT routes) or a local host address
1058              (or even zero).  In the last case the router does not  translate
1059              the packets, but masquerades them to this address.
1060
1061              Warning:  Changes  to  the  RPDB made with these commands do not
1062              become active immediately.  It is assumed that  after  a  script
1063              finishes  a  batch of updates, it flushes the routing cache with
1064              ip route flush cache.
1065
1066
1067   ip rule flush - also dumps all the deleted rules.
1068       This command has no arguments.
1069
1070
1071   ip rule show - list rules
1072       This command has no arguments.
1073
1074

ip maddress - multicast addresses management

       maddress objects are multicast addresses.

   ip maddress show - list multicast addresses
       dev NAME (default)
              the device name.

   ip maddress add - add a multicast address
   ip maddress delete - delete a multicast address
       these commands attach/detach a static link layer multicast address to
       listen on the interface.  Note that it is impossible to join protocol
       multicast groups statically.  This command only manages link layer
       addresses.

       address LLADDRESS (default)
              the link layer multicast address.

       dev NAME
              the device to join/leave this multicast address.


ip mroute - multicast routing cache management

       mroute objects are multicast routing cache entries created by a user
       level mrouting daemon (e.g. pimd or mrouted).

       Due to the limitations of the current interface to the multicast
       routing engine, it is impossible to change mroute objects
       administratively, so we may only display them.  This limitation will
       be removed in the future.

   ip mroute show - list mroute cache entries
       to PREFIX (default)
              the prefix selecting the destination multicast addresses to
              list.

       iif NAME
              the interface on which multicast packets are received.

       from PREFIX
              the prefix selecting the IP source addresses of the multicast
              route.


ip tunnel - tunnel configuration

       tunnel objects are tunnels, encapsulating packets in IPv4 packets and
       then sending them over the IP infrastructure.

   ip tunnel add - add a new tunnel
   ip tunnel change - change an existing tunnel
   ip tunnel delete - destroy a tunnel
       name NAME (default)
              select the tunnel device name.

       mode MODE
              set the tunnel mode.  Three modes are currently available:
              ipip, sit and gre.

       remote ADDRESS
              set the remote endpoint of the tunnel.

       local ADDRESS
              set the fixed local address for tunneled packets.  It must be
              an address on another interface of this host.

       ttl N
              set a fixed TTL N on tunneled packets.  N is a number in the
              range 1-255.  0 is a special value meaning that packets inherit
              the TTL value.  The default value is: inherit.

       tos T

       dsfield T
              set a fixed TOS T on tunneled packets.  The default value is:
              inherit.

       dev NAME
              bind the tunnel to the device NAME so that tunneled packets
              will only be routed via this device and will not be able to
              escape to another device when the route to the endpoint
              changes.

       nopmtudisc
              disable Path MTU Discovery on this tunnel.  It is enabled by
              default.  Note that a fixed ttl is incompatible with this
              option: tunnelling with a fixed ttl always performs Path MTU
              Discovery.

       key K

       ikey K

       okey K
              (only GRE tunnels) use keyed GRE with key K.  K is either a
              number or an IP address-like dotted quad.  The key parameter
              sets the key to use in both directions.  The ikey and okey
              parameters set different keys for input and output.

       csum, icsum, ocsum
              (only GRE tunnels) generate/require checksums for tunneled
              packets.  The ocsum flag calculates checksums for outgoing
              packets.  The icsum flag requires that all input packets have
              the correct checksum.  The csum flag is equivalent to the
              combination icsum ocsum.

       seq, iseq, oseq
              (only GRE tunnels) serialize packets.  The oseq flag enables
              sequencing of outgoing packets.  The iseq flag requires that
              all input packets are serialized.  The seq flag is equivalent
              to the combination iseq oseq.  It doesn't work.  Don't use it.

   ip tunnel show - list tunnels
       This command has no arguments.


ip monitor and rtmon - state monitoring

       The ip utility can monitor the state of devices, addresses and routes
       continuously.  This option has a slightly different format.  Namely,
       the monitor command is the first in the command line and then the
       object list follows:

       ip monitor [ all | LISTofOBJECTS ]

       LISTofOBJECTS is the list of object types that we want to monitor.  It
       may contain link, address and route.  If no file argument is given, ip
       opens RTNETLINK, listens on it and dumps state changes in the format
       described in previous sections.

       If a file name is given, it does not listen on RTNETLINK, but opens
       the file containing RTNETLINK messages saved in binary format and
       dumps them.  Such a history file can be generated with the rtmon
       utility.  This utility has a command line syntax similar to ip
       monitor.  Ideally, rtmon should be started before the first network
       configuration command is issued.  E.g. if you insert:

               rtmon file /var/log/rtmon.log

       in a startup script, you will be able to view the full history later.

       Certainly, it is possible to start rtmon at any time.  It prepends the
       history with the state snapshot dumped at the moment of starting.


HISTORY

       ip was written by Alexey N. Kuznetsov and added in Linux 2.2.


SEE ALSO

       tc(8)
       IP Command reference ip-cref.ps
       IP tunnels ip-cref.ps


AUTHOR

       Original Manpage by Michail Litvak <mci@owl.openwall.com>

iproute2                        17 January 2002                          IP(8)